Krebs on Security

In-depth security news and investigation

Adobe, Microsoft Push Critical Security Fixes

Adobe and Microsoft each separately released a raft of updates to fix critical security holes in their software. Adobe pushed patches to plug holes in Adobe Acrobat/Reader and its Flash and Shockwave media players. Microsoft released 13 patch bundles to fix at least 47 security vulnerabilities in Windows, Office, Internet Explorer and SharePoint.

Four of the 13 bulletins Microsoft released today earned the company’s “critical” rating, meaning that on balance they address vulnerabilities that can be exploited by miscreants or malware to break into vulnerable systems without any help from users.

For enterprises and those who need to prioritize the installation of updates, Microsoft recommends installing the Outlook, Internet Explorer and SharePoint Server fixes as soon as possible. The SharePoint update addresses some ten vulnerabilities, including one that Microsoft says was publicly disclosed prior to today’s patch batch.

Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. Likewise, Internet Explorer 10 should auto-update to the latest version. To find out which version of Flash you have installed, see this page.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Updates for Adobe Acrobat and Reader fix at least eight security holes in these products. For Windows and Mac users with Reader XI, the new version is v. 11.0.04. Users of these software titles can grab the updates from the links at Adobe’s advisory, or from within the software by choosing Help > Check for Updates.

Adobe also released a new version of its Shockwave Player software that fixes at least two flaws, bringing Shockwave to v. 12.0.4.144 on Windows and Mac systems. Updates are available here. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, just downloads it for you), then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.

Finally, there is an update for Adobe AIR, which you may have if you’ve installed desktop clients like Pandora or Tweetdeck. Adobe says it is not aware of any exploits or attacks in the wild targeting any of the issues addressed in the updates the company released today. Applications that rely on AIR check for updates upon start, but the latest version (v. 3.8.0.1430) also is available from this link.

Update, 11:06 p.m. ET: Apple just released an update that blocks older versions of Flash from running in Safari on OS X systems. “Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 11.8.800.94.” That version is not the version of Flash that Adobe released today, but the one it released back in July. This means that if the last time you updated your Flash Player on your Mac was in June, you won’t be able to view Flash content in Safari if you apply the latest Apple updates without also patching Flash.

This entry was posted on Tuesday, September 10th, 2013 at 3:52 pm and is filed under Time to Patch.

43 comments

Since you’re talking about Flash today, it might be a good time to point out to you that some of your advertisers are using Flash in their ads. I, like many of your readers, use Flash blocking software as part of our online security regimen; so we are not seeing those ads unless we click on them. (And how many of us bother?)

Sometime I would like you to do a story on the source(s) of those Web ads for “free” downloads of Flash Player from non-Adobe sites. They are fairly common on webmail clients and usually involve a green text balloon. Something definitely smells fishy (phishy?) about them.

Debbie, I think Google just hasn’t updated it yet. I noted this in the story above:

“Adobe’s Flash update fixes at least four flaws in the widely-installed media player, and brings the player to version 11.8.800.168 for Mac and Windows users (users of other OSes please see the chart below). Google Chrome should auto-update itself to the latest version for Chrome (11.8.800.170 for Windows, Mac and Linux); Google says it is in the process of rolling out the update, although my test version of Chrome is still stuck at v. 11.8.800.97, even after installing updates for Chrome and restarting. “

I can’t check at the moment because I am logged into a Windows XP user account that lacks administrator privileges, but when I tried to update Flash Player on my Chrome about five hours ago, it remained at 11.8.800.97.

I think it is going to take someone with your stature in the industry to yank Google’s chain about this. Three days after Black Tuesday, none of my home PCs (one XP, two Win7) have auto-updated yet, nor did my work PC. They all claimed they were “up to date”. However, when I downloaded the standalone Chrome installer and installed that (29.0.1547.67) on my work PC (XP), it included the new .170 version of Flash Player.

Indeed. But after waiting FIVE DAYS since Black Tuesday for an auto-update without results, I downloaded and installed the standalone version on my WinXP netbook at home (since my office PC is also XP). That is the Chrome version number, and it does include Adobe Flash 11.8.800.170.

I installed a new app tonight, Connection Tracker, which pushes notifications of uploaded data and its destination. Why would Facebook be continually uploading data to Ireland?

It is nice to see Flash security updates finally! I wonder if this will have an effect on the Google Chrome lack of support, (in practice, a block and ban of Flash). I could not watch an important webcast again today.

It seems to me that Google, by not accepting malware on Chrome, and also by insisting patches be fixed more quickly, has helped to push Microsoft and Adobe to fix these horrific problems. We will see what happens with Google Chrome Flash support. Of course, they could just move to HTML5.

Normally, as you always mention, I have to install Flash twice in Firefox and IE, but today after I installed it in Firefox, I then opened IE and checked for the version and it showed the latest version 11.8.800.168. So for some reason I only had to install it once this time. I definitely hadn’t previously done anything in IE which I seldom use but I keep it up to date per your very useful reminders.

Normally in cases like that you should download the updates by hand and attempt to manually install them, one by one. Sometimes they’ll install without any fuss but other times they’ll kick back error messages that will give you some breadcrumbs to work with, leading you down the path to fixing whatever’s causing them to not install.

Watch out! Are those signed by Microsoft? Check to see if they successfully installed. Uninstall and reinstall, but first check to see if your Microsoft update site is correct in your network protocol. You can check with Microsoft to find out the correct addresses for updates. If they are not signed by Microsoft, they are the fake certs and you are being redirected to a fake Microsoft server for updates.

If they show up as having been successfully installed in your Update History and it also shows they are Microsoft updates and not a blank space for author, then the notices are popups on your bottom right screen? I suggest turning off automatic updates and then run a scan for new updates yourself. (Make sure it is the right address in your Network Protocols to the Microsoft Update server first.) If your own search for updates shows that you need to install something that was successfully installed already, then maybe if you restart your computer to see if this handles it? Before you do anything though, make sure the KB’s are from Microsoft. I do not know if this is the same as Win 7. What you do not want is to install fake updates. This is so important. Make backups of your Office Documents, if you suspect it, on external HDD. One way to tell if you are infected is to take an Office Document which is recent and Select Show All. See if there are any tiny characters, dots or spaces that are not supposed to be there and backspace them out.

Maybe they just require a restart to install, but usually the computer restarts anyway after updates. If you have problems after restart, you will have to call Microsoft Support and tell them it is an update problem. They are supposed to help you for free for that.

I d/l’d all updates that applied to my setup and they all showed as “successful”. Then, about half hour later I started getting update notifications on three items related to Word 2007 that showed as being installed. Fine, I played the game a couple of times but the items continued to pop up as required updates. So I went to Windows Update and checked the boxes to not notify me of those updates again. There was some Windows whining but that beats my usual whining about Windows.

Please consider porting apt from the Debian Project to Windows. Not only would this be beneficial to Microsoft’s own updates (think managing dependencies), but it would also be very helpful with keeping 3rd party software updated. With apt modified for Microsoft’s usage in Windows, 3rd party application and platform vendors could simply add repositories to ensure that their software is updated.

As it is now, 3rd party software on Windows has to do one of the following to ensure that it is up-to-date:

o add a new service to manage updates (e.g., Google Chrome, Mozilla Firefox)
o add a new task to the Task Manager to manage updates (e.g., Adobe Flash Player)
o periodically check for updates when the application is running, notify the user when an update is ready to be installed and wait for the user to apply the update (e.g., Opera)

It’s a mess! Windows Store apps that debuted with Windows 8 are strictly Modern UI apps and do not include traditional desktop applications such as Adobe Reader, Oracle Java, etc.

P.S. I’m aware of alternatives from Secunia and FileHippo, but these are 3rd party solutions to a Microsoft Windows problem.

Anyone else getting a bad certificate notice when linking to this string now? I was able to get back in because I still had the tab open on my tablet. If so, please check the certificate information in any warning and write down the Hierarchy info. Do not accept the certificate or proceed. If you have done so, go into preferences and find the bad certificate and remove it. Here is what showed for Hierarchy:

Heads up! A new Flash Player for Internet Explorer, Version 11.8.800.174, is released today. But it’s only for Windows versions and not Windows 8. You can check the link here: http://www.adobe.com/software/flash/about/

The installation of Chrome on my Windows XP PC STILL has Pepper Flash version 11.8.800.97!

Curiously, it was announced today on http://googlechromereleases.blogspot.com/ that the Chrome browser for Chrome OS has been updated to version 29.0.1547.74 and this version includes Pepper Flash version 11.8.800.170-r1. Things that make you go, “Hmmm…”